North Korea is now mining crypto to launder the stolen loot
In the cryptocurrency ecosystem, coins have a history, traced in the immutable blockchains that underpin their economy. The one exception is cryptocurrency that is newly created by the computational power of its owner. So it turns out that North Korean hackers have begun adopting a new trick to launder the coins they steal from victims around the world: pay their dirty, stolen coins to services that let them mine innocent new ones.
Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it now calls APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work for North Korea’s Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics and private industry from the US to Europe, South Korea and Japan since at least 2018, mostly with phishing campaigns designed to collect credentials from victims and plant malware on their machines.
Like many North Korean hacking groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that could enrich the North Korean regime or even just fund the hackers’ own operations. And as regulators around the world have tightened their grip on exchanges and money-laundering services that thieves and hackers use to cash out criminal coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays the stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, and harvest newly mined coins that have no apparent ties to criminal activity.
That mining trick allows APT43 to take advantage of the fact that cryptocurrency is relatively easy to steal, while avoiding the forensic trail of evidence it leaves on blockchains, which can make it difficult for thieves to cash out. “It breaks the chain,” says Joe Dobson, a threat intelligence analyst at Mandiant. “This is like a bank robber who steals silver from a bank vault and then goes to a gold digger and pays the miner in the stolen silver. Everyone is looking for the silver while the bank robber is walking around with fresh, newly mined gold.”
Mandiant says it first started seeing signs of APT43’s mining-based laundering technique in August 2022. Since then, it has seen tens of thousands of dollars’ worth of crypto flow from what it believes are APT43 crypto wallets into hashing services such as NiceHash and Hashing24, which allow anyone to buy and sell the computing power used to calculate the hashes needed to mine most cryptocurrencies. Mandiant says it has also seen similar amounts flow to APT43 wallets from mining “pools,” services that allow miners to contribute hash resources to a group that pays out a share of any cryptocurrency the group mines collectively. (Mandiant declined to name either the hashing services or the mining pools in which APT43 participated.)
In theory, the payouts from these pools should be clean, with no ties to APT43’s hackers—that seems to be the point of the group’s money-laundering exercise, after all. But in some cases of operational sloppiness, Mandiant says it found the funds were still mixed with crypto in wallets it had previously identified from its years of tracking APT43 hacking campaigns.
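The two situations described above, the clean payout and the sloppy one, can be illustrated with a small taint-tracing exercise. The following is an added example, not code or data from the Mandiant report: it builds a constructed transaction graph (made-up transaction ids, addresses and amounts) and applies the common “haircut” taint method, in which each output inherits the value-weighted taint of its transaction’s inputs. A coinbase transaction has no inputs, so mined coins start with zero taint, which is what “breaks the chain.” The `mixing_spends` check then shows how a single co-spend of stolen change with a pool payout links the fresh coins back to a known wallet.

```python
"""Added example: haircut-style taint tracing over a constructed UTXO graph.
All transaction ids, addresses and amounts are made up for illustration."""
from collections import defaultdict

# A transaction with no inputs is a coinbase: its coins are newly mined and
# carry no history. Inputs reference (txid, output_index) of an earlier tx.
TXS = {
    "cb_victim":  {"inputs": [],
                   "outputs": [("victim", 10.0)]},
    # Theft: the victim's coins move to a wallet attributed to the group.
    "theft":      {"inputs": [("cb_victim", 0)],
                   "outputs": [("apt_wallet", 10.0)]},
    # Stolen coins are paid to a hash-rental service; 1.0 returns as change.
    "rent_hash":  {"inputs": [("theft", 0)],
                   "outputs": [("hash_service", 9.0), ("apt_wallet", 1.0)]},
    # The mining pool's block reward: a coinbase, unrelated to the theft.
    "cb_pool":    {"inputs": [],
                   "outputs": [("pool", 12.5)]},
    "payout_ok":  {"inputs": [("cb_pool", 0)],
                   "outputs": [("fresh_wallet", 6.0), ("pool", 6.5)]},
    # Sloppiness: a second payout lands in the wallet that still holds change
    # from the theft, and both are later spent in one transaction.
    "payout_bad": {"inputs": [("payout_ok", 1)],
                   "outputs": [("apt_wallet", 6.5)]},
    "cashout":    {"inputs": [("rent_hash", 1), ("payout_bad", 0)],
                   "outputs": [("exchange_deposit", 7.5)]},
}

# Outputs (hypothetically) known to be proceeds of the theft.
STOLEN_OUTPUTS = {("theft", 0)}


def topo_order(txs):
    """Order transactions so every input's source tx comes first."""
    order, seen = [], set()

    def visit(txid):
        if txid in seen:
            return
        seen.add(txid)
        for parent, _ in txs[txid]["inputs"]:
            visit(parent)
        order.append(txid)

    for txid in txs:
        visit(txid)
    return order


def output_value(txs, ref):
    txid, idx = ref
    return txs[txid]["outputs"][idx][1]


def taint_fractions(txs, stolen):
    """Haircut taint: each output inherits the value-weighted taint fraction of
    its transaction's inputs. Coinbase outputs start at zero."""
    taint = {}
    for txid in topo_order(txs):
        tx = txs[txid]
        total_in = sum(output_value(txs, ref) for ref in tx["inputs"])
        tainted_in = sum(output_value(txs, ref) * taint[ref] for ref in tx["inputs"])
        frac = tainted_in / total_in if total_in else 0.0
        for idx in range(len(tx["outputs"])):
            ref = (txid, idx)
            taint[ref] = 1.0 if ref in stolen else frac
    return taint


def address_taint(txs, taint):
    """Value-weighted taint fraction of everything each address ever received."""
    received, tainted = defaultdict(float), defaultdict(float)
    for txid, tx in txs.items():
        for idx, (addr, amount) in enumerate(tx["outputs"]):
            received[addr] += amount
            tainted[addr] += amount * taint[(txid, idx)]
    return {addr: tainted[addr] / received[addr] for addr in received}


def mixing_spends(txs, taint):
    """Transactions that co-spend a tainted output with a clean one. Under the
    common-input-ownership heuristic the owning addresses are linked, so the
    mined coins get attributed to the same actor as the stolen ones."""
    flagged = {}
    for txid, tx in txs.items():
        fracs = [taint[ref] for ref in tx["inputs"]]
        if fracs and max(fracs) > 0.0 and min(fracs) == 0.0:
            flagged[txid] = {txs[src]["outputs"][idx][0] for src, idx in tx["inputs"]}
    return flagged


if __name__ == "__main__":
    taint = taint_fractions(TXS, STOLEN_OUTPUTS)
    for addr, frac in sorted(address_taint(TXS, taint).items()):
        print(f"{addr:17s} taint={frac:.3f}")
    print("mixing spends:", mixing_spends(TXS, taint))
```

Running it shows `hash_service` fully tainted and `fresh_wallet` at zero taint, which is the laundering working as intended: the stolen coins are visible going in, and nothing connects the pool payout to them. The only reason `cashout` surfaces is the co-spend, which is the kind of operational slip the report describes; an analyst tracking the known wallet would see the clean payout only because it was spent alongside stolen change.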
The five-figure sums Mandiant saw laundered through this mining process, the company’s analysts admit, are nowhere near the size of the massive crypto heists North Korean hackers have carried out in recent years, stealing hundreds of millions of dollars in cases such as the breaches of the Harmony Bridge and Ronin Bridge services. That may be because only a small fraction of North Korea’s mining-based money laundering has been detected.
But it could also be because APT43 is not primarily tasked with stealing cryptocurrency, says Mandiant analyst Michael Barnhart. Instead, the group appears to have been ordered to generate enough profits through cybercrime to fund its espionage efforts. As a result, it has attempted to steal smaller sums of crypto from a wide range of victims, he says, with the goal of living independently. “They’re not going to get money,” Barnhart says. “They’re just trying to make ends meet.”
Companies that track cryptocurrency, including Chainalysis and Elliptic, say they have seen criminal actors seek newly mined cryptocurrency to fund their activities or dilute and obscure their profits. For example, Elliptic says it has seen a group affiliated with the militant organization Hamas mining cryptocurrency as a means of what it describes as terrorist financing. But Arda Akartuna, a threat analyst at Elliptic, says paying dirty cryptocurrency to a hashing service to mine clean crypto isn’t a trick he’s seen before.
Akartuna points out that mining pools are not as regulated and scrutinized as other crypto actors that are sometimes used for money laundering, such as cryptocurrency exchanges, “mixing services” designed to hide the trail of users’ coins, and NFT marketplaces. “But they probably should be,” he says.
“It is quite worrying that many mining pools do not actually show who participates in them,” says Akartuna. “So you could potentially have illegal actors contributing computing power to the mining pools, and those mining pools don’t have the tools to identify them.”
The finding suggests that authorities hunting money launderers and criminal financiers may need to shift some of their focus away from the middlemen of the crypto economy and toward the miners who act as the original source of coins. Not all of that fresh digital cash is as innocent as it may seem.